Abstract. We propose an abstraction-based model checking method which relies on refinement of an under-approximation of the feasible behaviors of the system under analysis. The method preserves errors to safety properties, since all analyzed behaviors are feasible by definition. The method does not require an abstract transition relation to be generated, but instead executes the concrete transitions while storing abstract versions of the concrete states, as specified by a set of abstraction predicates. For each explored transition the method checks, with the help of a theorem prover, whether there is any loss of precision introduced by abstraction. The results of these checks are used to decide termination or to refine the abstraction by generating new abstraction predicates. If the (possibly infinite) concrete system under analysis has a finite bisimulation quotient, then the method is guaranteed to eventually explore an equivalent finite bisimilar structure. We illustrate the application of the approach for checking concurrent programs.



Over the last few years, model checking based on abstraction-refinement has become a popular technique for the analysis of software. In particular the abstraction technique of choice is a property preserving over-approximation called predicate abstraction [15] and the refinement removes spurious behavior based on automatically analyzing abstract counter-examples. This approach is often referred to as CEGAR (counter-example guided automated refinement) and forms the basis of some of the most popular software model checkers [H [22]. Furthermore, a strength of model checking is its ability to automate the detection of subtle errors and to produce traces that exhibit those errors. However, over-approximation based abstraction techniques are not particularly well suited for this, since the detected defects may be spurious due to the over-approximation — hence the need for refinement. We propose an alternative approach based on refinement of under-approximations, which effectively preserves the defect detection ability of model checking in the presence of aggressive abstractions.

The technique uses a combination of (explicit state) model checking, predicate abstraction and automated refinement to efficiently analyze increasing portions of the feasible behavior of a system. At each step, either an error is found, we are guaranteed no error exists, or the abstraction is refined. More precisely, the proposed model checking technique traverses the concrete transitions of the system and for each explored concrete state, it stores an abstract version of the state. The abstract state, computed by predicate abstraction, is used to determine whether the model checker's search should continue or backtrack (if the abstract state has been visited before). This effectively explores an under-approximation of the feasible behavior of the analyzed system. Hence all counter-examples to safety properties are preserved.

Refinement uses weakest precondition calculations to check, with the help of a theorem 
prover, whether the abstraction introduces any loss of precision with respect to each explored 
transition. If there is no loss of precision due to abstraction (we say that the abstraction 
is exact) the search stops and we conclude that the property holds. Otherwise, the results 
from the failed checks are used to refine the abstraction and the whole verification process is 
repeated anew. In general, the iterative refinement may not terminate. However, if a finite 
bisimulation quotient [24] exists for the system under analysis, then the proposed approach 
is guaranteed to eventually explore a finite structure that is bisimilar to the original system. 

The technique can also be used in a lightweight manner, without a theorem prover, i.e. the refinement guided by the exactness checks is replaced with refinement based on syntactic substitutions [26] or heuristic refinement. The proposed technique can be used for systematic testing, as it examines increasing portions of the system under analysis. In fact, our method extends existing approaches to testing that use abstraction mappings [THJ, [35], by adding support for automated abstraction refinement.

Our approach can be contrasted with the work on predicate abstraction for modal transition systems [16, 31], used in the verification and refutation of branching time temporal logic properties. An abstract model for such logics distinguishes between may transitions, which over-approximate transitions of the concrete model, and must transitions, which under-approximate the concrete transitions (see also [2, 10, 11, 30]). As we show in the next section (and we discuss in more detail in Section 6), the technique presented here explores and generates a structure which is more precise (contains more feasible behaviors) than the model defined by the must transitions, for the same abstraction predicates. The reason is that the model checker explores transitions that correspond not only to must transitions, but also to may transitions that are feasible.

Moreover, unlike [16, 31] and over-approximation based abstraction techniques [HE], the under-approximation and refinement approach does not require the a priori construction of the abstract transition relation, which involves exponentially many theorem prover calls (in the number of predicates), regardless of the size of (the reachable portion of) the analyzed system. In our case, the model checker executes concrete transitions and a theorem prover is only used during refinement, to determine whether the abstraction is exact with respect to each executed transition. Every such calculation makes at most two theorem prover calls, and it involves only the reachable state space of the system under analysis. Another difference with previous abstraction techniques is that the refinement process is not guided by the spurious counter-examples, since no spurious behavior is explored. Instead, the refinement is guided by the failed exactness checks for the explored transitions.

Figure 1: (a) Concrete system (b) May abstraction using predicate $p = x < 2$ (c) Must abstraction using $p$ (d) Concrete search with abstract matching using $p$ (e) Concrete search with abstract matching using predicates $p$ and $q = x < 1$

To the best of our knowledge, the presented approach is the first predicate abstraction 
based analysis which focuses on automated refinement of under-approximations with the 
goal of efficient error detection. We illustrate the application of the approach for checking 
safety properties in concurrent programs. 

The rest of the paper is organized as follows. Section 2 shows an example illustrating our approach. Section 3 gives background information. Section 4 describes the main algorithm for performing concrete model checking with abstract matching and refinement. Section 5 discusses correctness and termination; Section 6 discusses other interesting properties of the algorithm. Section 7 proposes extensions to the algorithm. Section 8 illustrates applications of the approach, Section 9 discusses related work, and Section 10 concludes the paper.



2. Example 

The example in Figure 1 illustrates some of the main characteristics of our approach. Figure 1 (a) shows the state space of a concrete system that has only one variable $x$; states are labelled with the program counter (e.g. A, B, C, ...) and the concrete value of $x$. Figure 1 (b) shows the abstract system induced by the may transitions for predicate $p = x < 2$. Figure 1 (c) shows the abstract system induced by the must transitions for predicate $p$.

Figure 1 (d) shows the state space explored using our proposed approach, for an abstraction specified by predicate $p$. Dotted circles denote the abstract states which are stored, and used for matching, during the concrete execution of the system. The approach explores only the feasible behavior of the concrete system, following transitions that correspond to both may and must transitions, but it might miss behavior due to abstract matching. For example, state (E, 1) is not explored, assuming a breadth-first search, since (D, 0) was matched with (D, 1) — both have the same program counter and both satisfy $p$. Notice that, with respect to reachable states, the produced structure is a better under-approximation (it "covers" more states) than the must abstraction. Figure 1 (e) illustrates concrete execution with abstract matching, after a refinement step, which introduced a new predicate $q = x < 1$. The resulting structure is an exact abstraction of the concrete system.

3. Background 

3.1. Program Model and Semantics. To make the presentation simple, we use as a specification language a guarded commands language over integer variables. Most of the results extend directly to more sophisticated programming languages. Let $V$ be a finite set of integer variables. Expressions over $V$ are defined using standard boolean ($=$, $<$, $>$) and binary ($+$, $-$, $\cdot$, ...) operations.

Definition 1. A model is a tuple $M = (V, T)$. $T = \{t_1, \ldots, t_n\}$ is a finite set of transitions, where $t_i = (g_i(x) \rightarrow x := e_i(x))$, $g_i(x)$ is a guard and $e_i(x)$ are assignments to the variables represented by tuple $x$.

Throughout the paper, we write concurrent assignments $x := e_i(x)$ as sequences, to improve readability. The semantics of program models uses transition systems.

Definition 2. A transition system over a finite set of atomic propositions $AP$ is a tuple $(S, R, s_0, L)$ where $S$ is a (possibly infinite) set of states, $R = \{\xrightarrow{i}\}$ is a finite set of deterministic transition relations $\xrightarrow{i} \subseteq S \times S$, $s_0$ is an initial state, and $L : S \to 2^{AP}$ is a labeling function.

State $s$ is reachable if there exists a sequence of zero or more transitions from the initial state such that $s_0 \xrightarrow{i_1} s_1 \xrightarrow{i_2} s_2 \cdots \xrightarrow{i_n} s_n = s$ (denoted $s_0 \to^* s$). The set of reachable labelings $RL(T)$ is $\{L(s) \mid s \in S : s_0 \to^* s\}$. The notation $s \not\xrightarrow{i}$ means that there is no $i$ transition from the state $s$.

Definition 3. The concrete semantics of model $M$ is transition system $[\![M]\!] = (S, \{\xrightarrow{i}\}, s_0, L)$ over $AP$, where:

• $S = \mathbb{Z}^{V}$, i.e. states are valuations of variables,

• $s \xrightarrow{i} s' \iff s \models g_i \wedge s' = e_i(s)$; the semantics of guards (boolean expressions) and updates is as usual; guards are functions $(V \to \mathbb{Z}) \to \{true, false\}$, written as $s \models g_i$; updates are functions $e_i : (V \to \mathbb{Z}) \to (V \to \mathbb{Z})$,

• $s_0$ is the zero valuation ($\forall v \in V : s_0(v) = 0$),

• $L(s) = \{p \in AP \mid s \models p\}$.

3.2. Strongest Postcondition and Weakest Precondition. Let $\phi$ be a predicate representing a set of states. Then the strongest postcondition of $\phi$ with respect to transition $i$ is $sp(\phi, i) = \exists s'. (s' \xrightarrow{i} s \wedge \phi(s'))$; $sp(\phi, i)$ defines the successors by transition $i$ of the states characterized by $\phi$. The weakest precondition of $\phi$ with respect to transition $i$ is $wp(\phi, i) = \forall s'. (s \xrightarrow{i} s' \Rightarrow \phi(s'))$; $wp(\phi, i)$ characterizes the largest set of states whose successors by transition $i$ satisfy $\phi$. For guarded commands, the weakest precondition can be expressed as $wp(\phi, i) = (g_i \Rightarrow \phi[e_i(x)/x])$. We will use the following property [18]: $sp(\phi, i) \Rightarrow \phi'$ iff $\phi \Rightarrow wp(\phi', i)$.
3.3. Predicate Abstraction. Predicate abstraction is a special instance of the framework of abstract interpretation [9] that maps a (potentially infinite state) transition system into a finite state transition system via a set of predicates $\Phi = \{\phi_1, \ldots, \phi_n\}$ over the program variables. Let $\mathbb{B}^n$ be a set of bitvectors of length $n$. We define abstraction function $\alpha_\Phi : S \to \mathbb{B}^n$, such that $\alpha_\Phi(s)$ is a bitvector $b_1 b_2 \ldots b_n$ such that $b_i = 1 \iff s \models \phi_i$. Let $\Phi_s$ be the set of all abstraction predicates that evaluate to true for a given state $s$, i.e. $\Phi_s = \{\phi \in \Phi \mid s \models \phi\}$. For succinctness we sometimes write $\alpha_\Phi(s)$ to denote $\bigwedge_{\phi \in \Phi_s} \phi \wedge \bigwedge_{\phi \in \Phi \setminus \Phi_s} \neg\phi$.

We also give here the definitions of may and must abstract transitions. Although not necessary for formalizing our algorithm, these definitions clarify the comparison with related work. For two abstract states (bitvectors) $a_1$ and $a_2$:

• $a_1 \xrightarrow{i}_{must} a_2$ iff for all concrete states $s_1$ such that $\alpha_\Phi(s_1) = a_1$, there exists concrete state $s_2$ such that $\alpha_\Phi(s_2) = a_2$ and $s_1 \xrightarrow{i} s_2$,

• $a_1 \xrightarrow{i}_{may} a_2$ iff there exists concrete state $s_1$ such that $\alpha_\Phi(s_1) = a_1$ and there exists concrete state $s_2$ such that $\alpha_\Phi(s_2) = a_2$, such that $s_1 \xrightarrow{i} s_2$.

Algorithms for computing abstractions using over-approximation based predicate abstraction are given in e.g. [H [18] (they compute may abstract transitions automatically, with the help of a theorem prover). In the worst case, these algorithms make $2^n \times n \times 2$ calls to the theorem prover for each program transition.

3.4. Bisimulation.

Definition 4. A symmetric relation $R \subseteq S \times S$ is a bisimulation relation iff for all $(s, s') \in R$:

• $L(s) = L(s')$

• For every $s \xrightarrow{i} s_1$ there exists $s' \xrightarrow{i} s'_1$ such that $R(s_1, s'_1)$

The bisimulation is the largest bisimulation relation, denoted $\sim$. Two transition systems are bisimilar if their initial states are bisimilar. As $\sim$ is an equivalence relation, it induces a quotient transition system whose states are equivalence classes with respect to $\sim$ and there is a transition between two equivalence classes $A$ and $B$ if $\exists s_1 \in A$ and $\exists s_2 \in B$ such that $s_1 \xrightarrow{i} s_2$.

4. Concrete Model Checking with Abstract Matching 

4.1. Algorithm. Figure 2 shows the reachability procedure that performs model checking with abstract matching (αSearch). It is basically concrete state space exploration with matching on abstract states; the main modification with respect to classical state space search is that we store $\alpha_\Phi(s)$ instead of $s$. The procedure uses the following data structures:

• States is a set of abstract states visited so far,

• Transitions is a set of abstract transitions visited so far,

• Wait is a set of concrete states to be explored.

The procedure performs validity checking, using a theorem prover, to determine whether the abstraction is exact with respect to each explored transition (see discussion below). The set $\Phi$ maintains the list of abstraction predicates. The procedure returns the computed structure and a set of new predicates that are used for refinement. Note that we never abstract the program counter.
proc αSearch(M, Φ)
  Φ_new = Φ; add s_0 to Wait; add α_Φ(s_0) to States
  while Wait ≠ ∅ do
    get s from Wait
    L(α_Φ(s)) = {a ∈ AP | s ⊨ a}
    foreach i from 1 to n do
      if s ⊨ g_i then
        if α_Φ(s) ⇒ g_i is not valid then add g_i to Φ_new fi
        s' = e_i(s)
        if α_Φ(s) ⇒ α_Φ(s')[e_i(x)/x] is not valid
          then add predicates in α_Φ(s')[e_i(x)/x] to Φ_new fi
        if α_Φ(s') ∉ States then
          add s' to Wait
          add α_Φ(s') to States
        fi
        add (α_Φ(s), i, α_Φ(s')) to Transitions
      else
        if α_Φ(s) ⇒ ¬g_i is not valid then add g_i to Φ_new fi
      fi
    od
  od
  A = (States, Transitions, α_Φ(s_0), L)
  return (A, Φ_new)
end

Figure 2: Search procedure with checking for exact abstraction

Figure 3 gives the iterative refinement algorithm for checking whether $M$ can reach an error state described by $\varphi$ (which is a boolean combination of propositions from $AP$). The algorithm starts with $AP$ as the initial set of abstraction predicates. At each iteration of the loop, the algorithm invokes procedure αSearch to analyze an under-approximation of the system, which either violates the property, is proved to be correct (if the abstraction is found to be exact with respect to all transitions), or needs to be refined. Counter-examples are generated as usual (with depth-first search order using the stack, with breadth-first search order using parent pointers).

4.2. Checking for Exact Abstraction and Refinement. We say that abstraction function $\alpha_\Phi$ is exact with respect to transition $s \xrightarrow{i} s'$ iff for all $s_1$ such that $\alpha_\Phi(s) = \alpha_\Phi(s_1)$ there exists $s'_1$ such that $\alpha_\Phi(s'_1) = \alpha_\Phi(s')$ and $s_1 \xrightarrow{i} s'_1$. In other words, $s \xrightarrow{i} s'$ is exact with respect to $\alpha_\Phi$ iff $\alpha_\Phi(s) \xrightarrow{i}_{must} \alpha_\Phi(s')$.

Moreover, the abstraction function $\alpha_\Phi$ is exact with respect to a state $s$ iff the following conditions hold: (1) $\alpha_\Phi$ is exact with respect to all transitions $s \xrightarrow{i} s'$ and (2) if $s \not\xrightarrow{i}$ then for all $s_1$ such that $\alpha_\Phi(s) = \alpha_\Phi(s_1)$ we have $s_1 \not\xrightarrow{i}$.
proc RefinementSearch(M, φ)
  j = 1; Φ_j = AP
  while true do
    (A_j, Φ_{j+1}) = αSearch(M, Φ_j)
    if φ is reachable in A_j then return counter-example fi
    if Φ_{j+1} = Φ_j then return unreachable fi
    j = j + 1
  od
end

Figure 3: Iterative refinement algorithm

The notion of exactness is related to completeness in abstract interpretation (see [14]), which states that no loss of precision is introduced by the abstraction. Checking that the abstraction is exact with respect to a concrete transition $s \xrightarrow{i} s'$ amounts to checking that $sp(\alpha_\Phi(s), i) \Rightarrow \alpha_\Phi(s')$, equivalent to $\alpha_\Phi(s) \Rightarrow wp(\alpha_\Phi(s'), i)$, is valid.

Note that $wp(\alpha_\Phi(s'), i) = (g_i \Rightarrow \alpha_\Phi(s')[e_i(x)/x])$. Therefore $\alpha_\Phi(s) \Rightarrow wp(\alpha_\Phi(s'), i)$ is equivalent to $\alpha_\Phi(s) \Rightarrow (g_i \Rightarrow \alpha_\Phi(s')[e_i(x)/x])$. The abstraction is exact with respect to state $s$ when the following conditions hold: (1) $\alpha_\Phi(s) \Rightarrow (g_i \wedge \alpha_\Phi(s')[e_i(x)/x])$, equivalent to $(\alpha_\Phi(s) \Rightarrow g_i) \wedge (\alpha_\Phi(s) \Rightarrow \alpha_\Phi(s')[e_i(x)/x])$, is valid for each $i$ such that $s \models g_i$ and (2) $\alpha_\Phi(s) \Rightarrow \neg g_i$ is valid for each $i$ such that $s \not\models g_i$.

Checking the validity of these formulas is in general undecidable. As is customary, if the theorem prover cannot decide the validity of a formula, we assume that it is not valid. This may cause some unnecessary refinement, but it keeps the correctness of the approach. If the abstraction cannot be proved to be exact with respect to some transition, then the new predicates from the failed formula are added to the set of abstraction predicates. Intuitively, these predicates will be useful for proving exactness in the next iteration.

5. Correctness and Termination 

In this section we discuss the main properties of the iterative refinement algorithm. We 
first state the main theorems, after which we give the technical lemmas and proofs (the 
reader may wish to skip this technical material on the first reading). 

5.1. Main Results. We first show that, if the iterative algorithm terminates then the result is correct and moreover, if the error state is unreachable, the output structure is bisimilar to the system under analysis:

Theorem 1. (Correctness) If RefinementSearch(M, φ) terminates then:

• if it returns a counter-example, then it is a real error,

• if it returns 'unreachable', then the error state is indeed unreachable in $M$ and moreover the computed structure is bisimilar to $[\![M]\!]$.

In general, the proposed algorithm might not terminate (the reachability problem for our modeling language is undecidable). However, the algorithm is guaranteed to eventually find all the reachable labelings (including all the reachable errors) of the concrete program, although it might not be able to detect that (to decide termination). Moreover, if the (reachable part of the) system under analysis has a finite bisimulation quotient, then the algorithm eventually produces a finite bisimilar structure.

Theorem 2. (Termination) Let the αSearch use breadth-first search order and let $A_1, A_2, \ldots$ be a sequence of transition systems generated during iterative refinement performed by RefinementSearch(M, φ). Then

• there exists $j$ such that $RL(A_j) = RL([\![M]\!])$,

• if the reachable part of the bisimulation quotient is finite, then there exists $j$ such that $A_j \sim [\![M]\!]$.

Note that a consequence of this theorem is that if an error is reachable it is eventually reported by our algorithm. Also note that for the second part of the theorem, we do not require that both the reachable and unreachable parts of the system have a finite bisimulation quotient, but only the reachable part needs to be finite (of course, if both the reachable and unreachable parts are finite, then it follows that the reachable part is also finite; the converse is not true).

5.2. Technical Material. Here we provide several technical lemmas and the proofs for the two main theorems. We use the following notation: a state $s$ is visited during the search if it is inserted into Wait; a state $s$ is considered during the search if it is generated as a successor of some state in the foreach loop; a state $s_1$ is matched to a state $s_2$ if the check $\alpha_\Phi(s_1) \notin$ States fails because $\alpha_\Phi(s_1) = \alpha_\Phi(s_2)$ and $s_2$ was visited before.

We say that transition $s \xrightarrow{i} s'$ is exact if $\alpha_\Phi$ is exact with respect to it. Note that sometimes we let αSearch(M, Φ) denote just the structure $A$ computed by the algorithm and not the tuple $(A, \Phi_{new})$. Also note that RefinementSearch starts with $AP$ as the initial set of predicates. For the proofs, we need to refine the definition of bisimulation.

Definition 5. A symmetric relation $R \subseteq S \times S$ is a $k$-bisimulation relation iff:

• for all $(s, s') \in R : L(s) = L(s')$

• if $k > 0$ then there exists a $(k-1)$-bisimulation relation $R'$ such that for all $(s, s') \in R : (\forall s \xrightarrow{i} s_1 \Rightarrow \exists s' \xrightarrow{i} s'_1 \wedge (s_1, s'_1) \in R')$

The $k$-bisimulation is the largest $k$-bisimulation relation, denoted $\sim_k$. Note that the bisimulation is a $k$-bisimulation relation for every $k$.

Proof of Theorem 1. We first show that the reachable labelings computed by the iterative algorithm RefinementSearch are indeed an under-approximation of the reachable labelings of the program under analysis (Lemmas 1 and 2). Therefore, all the reported counter-examples correspond to real errors. We then show that when RefinementSearch reports 'unreachable' (i.e. when the set $\Phi_{new}$ of predicates returned for the current iteration is equal to the set $\Phi$ of predicates from the previous iteration) then the computed structure $A$ is bisimilar to $[\![M]\!]$ (Lemmas 3 and 4).

Lemma 1. If a state $s$ is reachable in $[\![M]\!]$ via exact transitions with respect to $\alpha_\Phi$, then there exists $s'$ such that $s'$ is visited during the αSearch(M, Φ) and $\alpha_\Phi(s) = \alpha_\Phi(s')$.

Proof: By induction with respect to the number of exact transitions from the initial state necessary for reaching the state $s$. Basic step ($k = 0$) is trivial. For the induction step, suppose that state $s$ is reachable via a sequence of exact transitions: $s_0 \xrightarrow{i_1} \ldots \xrightarrow{i_k} s_k \xrightarrow{i_{k+1}} s_{k+1} = s$. By the induction hypothesis there exists $s'_k$ such that $s'_k$ is visited and $\alpha_\Phi(s'_k) = \alpha_\Phi(s_k)$. Because the abstraction is exact with respect to $s_k \xrightarrow{i_{k+1}} s$, there must be $s'$ such that $s'_k \xrightarrow{i_{k+1}} s'$ and $\alpha_\Phi(s') = \alpha_\Phi(s)$. This successor $s'$ is considered during the visit of $s'_k$. There are two cases to be analyzed.

(1) $s'$ is added to Wait and later visited,

(2) $s'$ is matched to a previously visited state $s''$ such that $\alpha_\Phi(s') = \alpha_\Phi(s'')$.

In both cases we get that some state with the same abstract counterpart as $s$ is visited during the search. □

Lemma 2. $RL(αSearch(M, Φ)) \subseteq RL([\![M]\!])$.

Proof: It is easy to verify that the following is an invariant of the search: Wait is a subset of reachable states in $[\![M]\!]$. The lemma follows. □

Lemma 3. Let $AP \subseteq \Phi$. If for all reachable states $s_1, s_2$ it holds that $\alpha_\Phi(s_1) = \alpha_\Phi(s_2) \Rightarrow s_1 \sim s_2$, then αSearch(M, Φ) $\sim [\![M]\!]$.

Proof: Consider relation $R$ defined as: $s_1 R s_2$ iff $s_1 = s_2$ or $s_1$ is matched to $s_2$. Then $R$ is a bisimulation relation between αSearch(M, Φ) and $[\![M]\!]$. □

Lemma 4. Let $(A, \Phi_{new})$ = αSearch(M, Φ). If $\Phi_{new} = \Phi$, then $A \sim [\![M]\!]$.

Proof: Due to Lemma 3 it is sufficient to show that if $\Phi_{new} = \Phi$ then $\alpha_\Phi$ induces a bisimulation relation on the reachable part of the transition system $[\![M]\!]$. We first show that every reachable state in $[\![M]\!]$ is reached by exact transitions. We proceed by induction on the number of transitions from the initial state to $s$. Basic step ($k = 0$) is trivial. For the induction step, suppose that state $s$ is reachable via a sequence of exact transitions of length $k$. By Lemma 1 some state $s'$ such that $\alpha_\Phi(s) = \alpha_\Phi(s')$ is visited during the search. During the visit of the state $s'$ we check exactness of the abstraction (see Section 4.2). Since $\Phi_{new} = \Phi$ it follows that the abstraction is exact for $s'$, i.e., $s' \not\xrightarrow{i}$ iff $s \not\xrightarrow{i}$ and for every outgoing transition $s' \xrightarrow{i} s'_1$ and $\alpha(s) = \alpha(s')$ there exists $s_1$ such that $s \xrightarrow{i} s_1$ and $\alpha(s_1) = \alpha(s'_1)$. Since $i$ is deterministic, it follows that $s_1$ is the only successor of $s$ by transition $i$ and transition $s \xrightarrow{i} s_1$ is also exact. Moreover, it satisfies the same criterion for bisimulation, i.e. for all $s''$ such that $\alpha_\Phi(s) = \alpha_\Phi(s'')$ there exists $s''_1$ such that $\alpha_\Phi(s_1) = \alpha_\Phi(s''_1)$ and $s'' \xrightarrow{i} s''_1$. □

Proof of Theorem 1: The first claim follows from the fact that αSearch produces an under-approximation (Lemma 2). The second claim follows from Lemma 4. □

Proof of Theorem 2. In order to prove Theorem 2, we study sequences $\{A_j\}_{j=0}^{\infty}$ of transition systems generated during RefinementSearch. We assume that αSearch uses breadth-first search order. The basic idea of the proof is that any two states that are in different bisimulation classes ($s \not\sim s'$) are eventually distinguished by the abstraction function, i.e. $\exists j$ such that $\alpha_{\Phi_j}(s) \neq \alpha_{\Phi_j}(s')$ (Lemma 5). Moreover, each bisimulation class of $[\![M]\!]$ is eventually visited by RefinementSearch (Lemma 6) and the finite set of reachable labelings emerges (Lemmas 7 and 8).

Lemma 5. Let $\{A_j\}_{j=0}^{\infty}$ be a sequence of transition systems generated during an infinite run of RefinementSearch and $Inf_M = \{s \mid$ there exist infinitely many $j$ such that $s \in A_j\}$. If $s \not\sim s'$ and $s \in Inf_M$ then there exists $j$ such that $\alpha_{\Phi_k}(s) \neq \alpha_{\Phi_k}(s')$ for all $k > j$.

Proof: By induction with respect to $k$ where $k$ is the smallest number such that $s \not\sim_k s'$. Basic step: for $k = 0$ it means that $L(s) \neq L(s')$ and therefore $\alpha_{\Phi_1}(s) \neq \alpha_{\Phi_1}(s')$. Induction step ($k + 1$): Let $s_1, s'_1$ be such that $s \xrightarrow{i} s_1$, $s' \xrightarrow{i} s'_1$ and $s_1 \not\sim_k s'_1$. Since $s$ is visited in infinitely many iterations of αSearch, $s_1$ is considered in infinitely many iterations of αSearch and therefore one of the following must hold:

(1) State $s_1 \in Inf_M$. Then we can apply the induction hypothesis, i.e. there exists $j$ such that $\alpha_{\Phi_k}(s_1) \neq \alpha_{\Phi_k}(s'_1)$ for all $k > j$.

(2) State $s_1$ is matched to some state in infinitely many runs of αSearch. Since we use breadth-first order, there are only finitely many states to which it can be matched (with breadth-first search order the state can be matched only to states with lower or equal distance from the initial state). Therefore, there exists a state $s_2$ such that $s_1$ is matched to $s_2$ in infinitely many runs of αSearch, which means that $\alpha_{\Phi_j}(s_1) = \alpha_{\Phi_j}(s_2)$ for all $j$. From the induction hypothesis we get that $s_1 \sim_k s_2$ and hence $s_2 \not\sim_k s'_1$. Moreover, from the induction hypothesis we get that there exists $m$ such that $\alpha_{\Phi_k}(s_2) \neq \alpha_{\Phi_k}(s'_1)$ for all $k > m$. Therefore $\alpha_{\Phi_k}(s_1) \neq \alpha_{\Phi_k}(s'_1)$ for all $k > m$.

In both cases we get that there exists $j$ such that $\alpha_{\Phi_j}$ is not exact with respect to $s \xrightarrow{i} s_1$, therefore $wp(\alpha_{\Phi_j}(s_1), i)$ will be included in $\Phi_{j+1}$ and therefore $\alpha_{\Phi_{j+1}}(s) \neq \alpha_{\Phi_{j+1}}(s')$. □

Lemma 6. For each reachable bisimulation class $B$ of $[\![M]\!]$ there exists a state $s \in B$ such that $s$ is visited by RefinementSearch(M, φ) infinitely often.

Proof: By induction with respect to the length of the shortest path by which some state from $B$ is reachable. Basic step is obvious. Induction step: let a state from $B$ be reachable via path $s_0 \xrightarrow{i_1} \ldots \xrightarrow{i_k} s_k \xrightarrow{i_{k+1}} s_{k+1}$. By induction hypothesis some state $s' \sim s_k$ is reached during the refinement search infinitely often. Consider state $s''$ such that $s' \xrightarrow{i_{k+1}} s''$. It holds that $s'' \sim s_{k+1}$ and from Lemma 5 we get that $s''$ is visited infinitely often. □

Lemma 7. Let $\{A_j\}_{j=0}^{\infty}$ be a sequence of transition systems generated during an infinite run of RefinementSearch(M, φ). There exists $j$ such that $RL(A_j) = RL([\![M]\!])$.

Proof: For each $l \in RL([\![M]\!])$ we choose some bisimulation class $B$ such that $s \in B \Rightarrow L(s) = l$. In this way we obtain a finite set of bisimulation classes $\{B_1, \ldots, B_k\}$ which covers all labels in $RL([\![M]\!])$. Note that $RL([\![M]\!])$ is finite because $AP$ is finite. Now we show that there exists an iteration in which at least one state from each of these classes is visited. This is done similarly to the proof of Lemma 6. □

Lemma 8. Let $\{A_j\}_{j=0}^{\infty}$ be a sequence of transition systems generated during an infinite run of RefinementSearch. If the reachable part of the bisimulation quotient is finite, then there exists $j$ such that $A_j \sim [\![M]\!]$.

Proof: By contradiction. Suppose that $\forall j : A_j \not\sim [\![M]\!]$. From Lemma 3 we get that there exist reachable $s, s'$ such that $\forall j : \alpha_{\Phi_j}(s) = \alpha_{\Phi_j}(s')$ and $s \not\sim s'$. We show (similarly to the proof of Lemma 1) that there exists such $s$ which is visited infinitely often. From Lemma 5 we get that eventually $\alpha_{\Phi_j}(s) \neq \alpha_{\Phi_j}(s')$, which is the contradiction. □

Proof of Theorem 2: This theorem is a direct consequence of Lemmas 7 and 8. □
$pc = A \wedge y \geq 0 \rightarrow y := y + x$
$pc = A \wedge y < 0 \rightarrow pc := 1$

Figure 4: Example illustrating non-terminating refinement for finite state systems

6. Properties 

Having discussed correctness and termination, we now turn to other interesting prop- 
erties of the algorithm. 

6.1. Non-termination for Finite State System. We should note that the proposed 
iterative algorithm is not guaranteed to terminate even for a finite state program. This 
situation is illustrated by the example from Figure HJ x and y are initialized to zero. The 
property that we check is that "pc=l" is unreachable. Although the program is finite state 
(and therefore the problem can be easily solved with classical explicit model checking), it is 
quite difficult to solve using abstraction refinement techniques. The iterative algorithm does 
not terminate on this example: it keeps adding predicates y > 0, y + x > 0, y + 2x > 0, . . .. 
Note that, in accordance with Theorem [21 it eventually produces a bisimilar structure. 
However, the algorithm is not able to detect termination, and it keeps refining indefinitely. 
The reason is that the algorithm keeps adding predicates that refine the unreachable part 
of the system under analysis. 

Also note that the same problem occurs with over-approximation based abstraction 
techniques that use refinement based on weakest precondition calculations [7J [26] . Those 
techniques introduce the same predicates. Moreover, unlike our technique, they will keep 
generating spurious counter-examples. For this example no may/must abstraction based on 
predicates and refinement with weakest precondition calculations can produce a structure 
that is bisimilar to the concrete system (the concrete system is rather trivial — it has only 
one state). 

This example also illustrates another difference between the method presented here 
and over- approximation based predicate abstraction with refinement, in particular [26] . 
If the analyzed system has a reachable finite bisimulation quotient then our algorithm is 
guaranteed to find it (see Theorem [2] and Lemma [8]). In contrast, the method in |26j will 
fail to compute a finite state abstraction for the example; this result seems to contradict the 
bisimulation completeness claim (Theorem 3) from |26| . We conjecture that the method 
in [26] is not guaranteed to compute a finite state abstraction unless both the reachable and 
unreachable quotient is finite. 

To solve the problem of non-termination for finite state systems, we propose to use the following heuristic. If there is a transition for which we cannot prove that the abstraction is exact in several subsequent iterations of the algorithm, then we add predicates describing the concrete state; i.e. in the example from Figure 4 we would add predicates x = 0 and y = 0. The abstraction eventually becomes exact with respect to each transition. And since the number of reachable transitions is finite, the algorithm must terminate.

Corollary 1. If the reachable part of [M] is finite state then the modified algorithm terminates.
Figure 5: Example illustrating non-monotonic refinement (left: Program; right: State space)



6.2. Search Order and Non-Monotonicity. The search order used in αSearch (depth-first or breadth-first) influences the size of the generated structure, the newly computed predicates, and even the number of iterations of the main algorithm. If there are two states $s_1$ and $s_2$ such that $\alpha_\Phi(s_1) = \alpha_\Phi(s_2)$ but $s_1 \neq s_2$ then, depending on whether $s_1$ or $s_2$ is visited first, different parts of the transition system will be explored. For our implementation, we use breadth-first search order.

Also note that the refinement algorithm is non-monotone, i.e. a labeling which is reachable in one iteration may not be reachable in the next iteration. However, the algorithm is guaranteed to converge to the correct answer. The example in Figure 5 illustrates this non-monotonic behavior. Figure 5 (left) shows the transitions of the example program (for clarity of presentation, we depict the program in a graphical notation); the program has only one variable x; the program counter ranges over A, B, C, .... Figure 5 (right) shows the whole concrete state space of the program. As usual, states are labeled by the program counter and the concrete value of program variable x. Let us consider the first iteration of the algorithm, with abstraction predicate x > 3 and with breadth-first search order; the following states are visited: (A,0), (B,1), (C,0), (£,2), (D,0), (£,2), (E,4), (£,4). Assume now that the refinement step adds a new predicate x = 1; then, in the second iteration, the following states are visited: (A,0), (B,1), (C,0), (C,1), (£7,2), (D,0), (D,1), (£,3), (£,2), (£,3). States (E,4) and (£,4) are visited during the first iteration and they are not visited during the second one.
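As an added example (not code from the paper), the following Python implements αSearch with breadth-first order and abstract-state matching over a constructed seven-transition program with one variable x; the program and both predicate sets are assumptions chosen so that the second iteration, with predicate x = 1 added, no longer visits two states of the first, and the labeling (G, x > 3) reachable in the first iteration disappears in the second.

```python
from collections import deque

# Constructed guarded-command program over one integer variable x (not from the paper).
# A transition is (source pc, guard, update, target pc); guards and updates are functions of x.
PROGRAM = [
    ("A", lambda x: True,   lambda x: 0,     "C"),  # A -> C, x := 0
    ("A", lambda x: True,   lambda x: 1,     "C"),  # A -> C, x := 1
    ("C", lambda x: x == 0, lambda x: x,     "D"),  # C -> D, guard x = 0
    ("C", lambda x: x == 1, lambda x: x + 1, "F"),  # C -> F, guard x = 1, x := x + 1
    ("D", lambda x: True,   lambda x: x,     "E"),  # D -> E
    ("E", lambda x: True,   lambda x: x + 3, "F"),  # E -> F, x := x + 3
    ("F", lambda x: True,   lambda x: x + 1, "G"),  # F -> G, x := x + 1
]
INITIAL = ("A", 0)

# Abstraction predicates of the two iterations: name -> evaluator on x.
PHI_1 = {"x>3": lambda x: x > 3}
PHI_2 = {"x>3": lambda x: x > 3, "x=1": lambda x: x == 1}


def alpha(state, phi):
    """alpha_Phi(s): the program counter plus the truth value of every predicate."""
    pc, x = state
    return (pc,) + tuple(bool(p(x)) for p in phi.values())


def successors(state, program):
    """Execute every enabled concrete transition from the given concrete state."""
    pc, x = state
    return [(tgt, upd(x)) for src, grd, upd, tgt in program if src == pc and grd(x)]


def alpha_search(program, initial, phi):
    """alphaSearch in breadth-first order: concrete transitions are executed, but a
    state is stored and explored only if its abstract version has not been seen.
    Returns the concrete states visited (in order) and the reachable labelings."""
    stored = {alpha(initial, phi)}
    queue = deque([initial])
    visited = []
    while queue:
        s = queue.popleft()
        visited.append(s)
        for t in successors(s, program):
            a = alpha(t, phi)
            if a not in stored:          # new abstract state: store it and explore it
                stored.add(a)
                queue.append(t)
    return visited, stored


def lost_states(program, initial, phi_coarse, phi_fine):
    """Concrete states visited with the coarse predicate set but not with the finer one:
    non-empty here, which is the non-monotonicity of the refinement."""
    v1, _ = alpha_search(program, initial, phi_coarse)
    v2, _ = alpha_search(program, initial, phi_fine)
    return [s for s in v1 if s not in v2]


if __name__ == "__main__":
    for name, phi in (("iteration 1", PHI_1), ("iteration 2", PHI_2)):
        v, labels = alpha_search(PROGRAM, INITIAL, phi)
        print(name, list(phi), "visits", v)
    print("visited only in iteration 1:", lost_states(PROGRAM, INITIAL, PHI_1, PHI_2))
```

In the second iteration (C,1) is no longer matched with (C,0), its successor (F,2) now occupies the abstract state of F with x ≤ 3 before (F,3) is reached, so (F,3) and (G,4) are never visited.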
6.3. Relation to Other Abstractions. We discuss now the relationship between our abstraction based iterative algorithm and other (under-approximating) abstractions, in particular with the must abstractions from [30, 31] and with the abstractions induced by the refined definition of must transitions presented in [3]. We first remark that the abstract state space explored by our approach is (potentially) a better approximation than the must abstraction. This is formulated by the following lemma.

Lemma 9. Let $AP \subseteq \Phi$. Then $RL(\alpha Search(M, \Phi))$ is a superset of the reachable labelings in the must abstraction induced by $\Phi$.

Proof: The lemma is a direct consequence of Lemma 1. □

As mentioned, the iterative refinement in our algorithm is non-monotonic. A similar problem occurs in the context of must abstractions: the set of must transitions is not generally monotonically non-decreasing when predicates are added to refine an abstract system [16, 31]. This problem is addressed in [30, 31] by creating hyper must transitions (representing sets of must transitions). Note that the approaches presented in [3, 30, 31] require the a-priori construction of abstract must (and hyper must) transitions and therefore make an exponential number of theorem prover calls. In contrast our approach does not require the computation of abstract transitions, since it executes directly the concrete transitions (and it only makes theorem prover calls during refinement).

Recently, Ball et al. [3] defined an extension of the must abstraction based on so called $must^-$ transitions: $a_1 \to_{must^-} a_2$ iff for all concrete states $s_2$ such that $\alpha_\Phi(s_2) = a_2$, there exists a concrete state $s_1$ such that $\alpha_\Phi(s_1) = a_1$ and $s_1 \to_t s_2$ (for some $t$).

They call the classical must transitions $must^+$ transitions and they describe a reachability analysis that uses both $must^-$ and $must^+$ transitions; the set of reachable labelings is defined as $\{L(s) \mid s \in S : s_0 \to^*_{must^-} s_i \to^*_{must^+} s\}$. This results in an under-approximation of the set $RL([M])$ and at the same time it is a better under-approximation than the one obtained by classical must transitions.

Here we show that under-approximations based on $must^+$/$must^-$ transitions and our algorithm based on αSearch are incomparable. The (trivial) example in Figure 6 (a) illustrates that αSearch can be more precise than the analysis based on $must^+$/$must^-$ transitions. If we consider the abstraction with respect to a single predicate x > 0 we see that the program transition is neither $must^+$ nor $must^-$ (hence the set of reachable labelings produced by the analysis from [3] contains only a labeling x > 0) whereas αSearch executes the transition and finds a labeling x < 0.

On the other hand, consider the example in Figure 6 (b) and an abstraction with respect to a single predicate x > 3. Due to state matching on the states represented by (pc = 1, x = 1) and (pc = 1, x = 2), αSearch computes a different set of labelings, depending on which of the first two transitions is traversed first from the initial state. Therefore, the resulting set of reachable labelings contains only one of (pc = 3, x < 3), (pc = 3, x > 3). Under-approximation based on $must^+$/$must^-$ transitions contains both of these labelings.
Figure 6: Examples showing that under-approximations based on αSearch and $must^+$/$must^-$ transitions are incomparable ((a) x > i → x := x − 1)

7. Extensions 

In this section we propose several extensions of the main algorithm. 

7.1. Open Systems. Until now, we have discussed our approach in the context of "closed" systems. However, the approach can be extended to handling "open" systems (i.e. programs with inputs). In order to model open systems, we extend the guarded commands language by allowing assignments of the form x := input, which assigns to program variable x an arbitrary value from the input domain (in our case the set of integers). We can also allow the initial values of the program variables to be unspecified, in which case the transition system representing the open program has several (possibly unbounded) initial states.

In order to apply our approach, we need to compute, for each input variable, explicit 
concrete values that drive the concrete execution of the program. What we really want here 
is to pick one input value for each satisfiable valuation of the abstraction predicates. We can 
directly use the original algorithm — it will simply try all the possible values and continue 
the program execution only from values that satisfy the predicate combinations (most of 
the states that contain such input values will be matched if they lead to the same valuation 
of abstraction predicates). This "brute force" approach requires enumerating eventually 
the whole input domain, which is impossible for infinite input domains. Note however that 
the approach might still be very useful at detecting errors. 

Alternatively, we can use a constraint solver for computing the input values that are solutions of the satisfiable combinations of abstraction predicates (provided that satisfiability is decidable for the abstraction predicates). The decision whether to use the "brute force" approach or the satisfiability approach depends on the number of abstraction predicates and the size of the input domain. With the brute force approach, the whole input domain needs to be enumerated eventually. With the satisfiability approach, there are at most $2^k$ satisfiability queries (where k is the number of predicates which depend on the input variable).
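As an added example (not the paper's code), the following Python contrasts the two ways of choosing input values described above. The predicates over the input, the bounded domain and the candidate-point check that stands in for a constraint solver are all constructed assumptions; the solver side issues exactly $2^k$ queries, one per combination of truth values of the k predicates.

```python
from itertools import product

# Constructed abstraction predicates that depend on the input (not from the paper).
# They are restricted to comparisons of one integer input with constants, so that a
# valuation of all k predicates is satisfiable iff some point c-1, c or c+1 (c a constant
# occurring in a predicate) satisfies it. That finite check replaces a constraint solver here.
INPUT_PREDICATES = {
    "in>0":  lambda v: v > 0,
    "in<10": lambda v: v < 10,
    "in=5":  lambda v: v == 5,
}
BOUNDARIES = [0, 10, 5]   # the constants appearing in INPUT_PREDICATES


def valuation(v, preds):
    """Truth value of every predicate for the concrete input value v."""
    return tuple(bool(p(v)) for p in preds.values())


def brute_force_inputs(preds, domain):
    """The 'brute force' approach: enumerate the (finite) domain and keep the first
    input for each predicate valuation that actually occurs. The cost is the size of
    the domain, which is why it cannot be completed for an infinite input domain."""
    witnesses = {}
    for v in domain:
        witnesses.setdefault(valuation(v, preds), v)
    return witnesses


def solver_inputs(preds, boundaries):
    """The satisfiability approach: one query per combination of predicate truth values,
    hence at most 2^k queries, each answered with a witness input value when the
    combination is satisfiable. Returns the witnesses and the number of queries made."""
    candidates = sorted({c + d for c in boundaries for d in (-1, 0, 1)})
    witnesses = {}
    queries = 0
    for target in product((False, True), repeat=len(preds)):
        queries += 1
        for v in candidates:             # stands in for "ask the solver for a model"
            if valuation(v, preds) == target:
                witnesses[target] = v
                break
    return witnesses, queries


if __name__ == "__main__":
    by_enumeration = brute_force_inputs(INPUT_PREDICATES, range(-20, 21))
    by_solver, n_queries = solver_inputs(INPUT_PREDICATES, BOUNDARIES)
    print("brute force (41 inputs tried):", by_enumeration)
    print("solver style (%d queries):" % n_queries, by_solver)
```

Both approaches find the same four satisfiable valuations out of the eight possible ones, but the second needs eight queries instead of one concrete execution per input value.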

7.2. Transition Dependent Predicates. The predicates that are generated after the validity check for one transition are used 'globally' at the next iteration. This may cause unnecessary refinement: the new predicates may distinguish states which do not need to be distinguished. To avoid this, we could use 'transition dependent' predicates. The idea is to associate the abstraction predicates with the program counter corresponding to the transition that generated them. New predicates are then added only to the set of the respective program counter. However, with this approach, it may take longer before predicates are 'propagated' to all the locations where they are needed, i.e. more iterations are needed before an error is detected or an exact abstraction is found. We need to further investigate these issues. Similar ideas are presented in [8, 21] in the context of over-approximation based predicate abstraction.

7.3. Light-weight Approach. As mentioned, the under-approximation and refinement approach can be used in a lightweight but systematic manner, without using a theorem prover for validity checking. Specifically, for each explored transition $t_i$ refinement adds the new predicates from $\alpha_\Phi(s')[e_i(x)/x]$, regardless of whether the abstraction is exact with respect to transition $t_i$. This approach may result in unnecessary refinement. A similar refinement procedure was used in [26] for over-approximation predicate abstraction.

We are also considering several heuristics for generating new abstraction predicates. For example, it is customary to add the predicates that appear in the guards and in the property to be checked. One could also add predicates generated dynamically, using tools like Daikon [13], or predicates from known invariants of the system, generated using static analysis techniques. Section 8 shows an example where a statically computed invariant helped with the termination of the presented iterative algorithm.

In order to extend the applicability of the proposed technique to the analysis of full- 
fledged programming languages, we are investigating abstractions that record information 
about the shape of the program heap, to be used in conjunction with the abstraction 
predicates. We have reported about these experiments in [34] . 

8. Implementation and Applications 

We have implemented our approach for the guarded command language. Our implementation is done in the language OCaml and it uses the Simplify theorem prover [12]. The implementation has just 590 lines of code (parsing + definition of semantics: 390 lines, αSearch algorithm: 170 lines, RefinementSearch algorithm: 30 lines). The implementation uses several optimizations for reducing the number of theorem prover calls:

• When updating the predicate set for refinement, we add only those conjuncts of $\alpha_\Phi(s')[e_i(x)/x]$ for which we cannot prove validity.

• We cache queries to ensure that Simplify is not called twice for the same query. 

• All queries have the form of implication. Before calling the theorem prover for the 
implication, we check whether the right hand side is a tautology (in such case the 
implication is clearly satisfied). The results of these checks are also cached. 

8.1. Experiments. We discuss the application of our implementation for error detection and property verification in several multi process programs. The examples are: the ticket mutual exclusion protocol, RAX (Remote Agent Experiment), a component extracted from an embedded spacecraft-control application, and the bakery mutual exclusion protocol. We also analyzed a single process device driver taken from [5], which is a "classic" example analyzed with predicate abstraction techniques. We analyzed defective and correct versions of each example program. The RAX and device driver had known errors that we checked for. For the other examples, we seeded faults to obtain the defective versions.
Table 1: Experimental results

Note that in the described experiments, we always start the first iteration of the re- 
finement algorithm with the program predicates which occur in guards. All the reported 
results are for the breadth-first search order. 

Table 1 summarizes the results for each of the runs of our algorithm. The first part of the table reports the analysis results for the defective examples (denoted with the -err suffix), while the second part of the table reports the results for the correct examples. For each example we report numbers for: refinement iterations, generated concrete states and stored abstract states, generated predicates, and queries to the theorem prover. A "-" for RAX denotes that our analysis did not finish for this example (see discussion below). Note that for the concrete and abstract states, we report separate numbers for each iteration. For example, running our tool on the error version of the ticket protocol with two processes (ticket2-err) discovered the error after 2 iterations; in the first iteration, the tool generated 15 concrete states and it stored 9 abstract states, while in the second iteration, it generated 31 concrete states and it stored 17 abstract states. We discuss the experiments in more detail below (full details are available at [27]).

8.2. Ticket Protocol. This is a protocol for mutual exclusion [1]; we use the formalization of the algorithm from [6]. The algorithm is based on a simple "ticket" procedure: a process which wants to enter the critical section draws a ticket number that is one larger than the number held by any other process. The process then waits until all processes with smaller numbers are served: this is checked by a "display" variable which shows the value of the ticket number which is currently the smallest. The model of the protocol is given in Figure 7. The property of interest is mutual exclusion in the critical section (the invariant $\neg(pc_1 = 2 \land pc_2 = 2 \lor pc_2 = 2 \land pc_3 = 2 \lor pc_1 = 2 \land pc_3 = 2)$). The state space is infinite (the ticket numbers increase without any bound), but it has a finite bisimulation quotient.

We used our tool to prove successfully that the property holds. We analyzed several versions of the protocol. The intermediate analysis results for the protocol with three processes are given in Table 2. We report the following results for each iteration of the refinement algorithm: the number of generated concrete states, the number of stored abstract states, the number of queries to the theorem prover, the number of hits to a queries cache, and the newly generated predicates.
Figure 7: Ticket protocol (instance for three processes)

Table 2: Ticket protocol for three processes: intermediate results



As discussed, we also seeded an error in the protocol and used our tool for error de- 
tection. The error was seeded by changing the assignment s := s + 1 into s := s + 2. For 
an instance with two processes the error is found after two iterations. For an instance with 
three processes the error state can be reached by suitable interleaving in the first round of 
the protocol and the tool finds the error in the first iteration. 

8.3. RAX. The RAX example (illustrated in Figure 8) is derived from the software used in the NASA Deep Space 1 Remote Agent experiment, which deadlocked during flight [33]. We encoded the deadlock check as "$pc_1 = 4 \land pc_2 = 5 \land w_1 = 1 \land w_2 = 1$ is unreachable". The error is found after one iteration; the reported counter-example has 8 steps.

Note that the state space of the program is unbounded, as the program keeps incrementing the counters $e_1$ and $e_2$, when $pc_2 = 2$ and $pc_1 = 6$, respectively. We also ran our algorithm to see if it converges to a finite bisimulation quotient. Interestingly, the algorithm does not terminate for the RAX example, although it has a finite reachable bisimulation quotient. The results are shown in Table 3. However, if we assume that the counters in the program are non-negative, i.e. we introduce two new predicates, $e_1 \geq 0$, $e_2 \geq 0$ (which can be easily discovered using static analysis), then the algorithm terminates after two iterations. The tool reports the following results: 69 concrete and 44 abstract states explored in the first iteration, 101 concrete and 65 abstract states in the second iteration, two new predicates and 40 queries.
Figure 8: RAX example

Table 3: RAX example: intermediate results



8.4. Bakery Protocol. This is another well-known protocol for mutual exclusion. The protocol is similar to the ticket protocol (the ticket protocol requires a special hardware instruction like Fetch-and-Add, whereas the bakery protocol is applicable without any special instructions). The model has 10 variables. The property of interest is again mutual exclusion. The state space is infinite with a finite bisimulation quotient. The property can be proved by the algorithm in three iterations, using 31 predicates. For this example, we seeded an error by changing a guard num\ < nurriQ into num\ > nurriQ which creates a nontrivial error in the protocol. The tool can find the error in the first iteration.



8.5. Device Driver. This is a "classic" example analyzed using predicate abstraction [5]. 
The property of interest is the correct use of a lock. Our tool can prove that the property 
holds after one iteration (using just the predicates from guards): the algorithm explores 
10 concrete states, 9 abstract states and casts 3 queries to the theorem prover. For an 
erroneous version of the driver, the tool finds an error in the first iteration as well. 



8.6. Discussion. These preliminary experiments show the merits of our approach. The approach proves to be effective in computing finite bisimilar structures of non-trivial infinite state systems and in finding errors using under-approximation based predicate abstraction. Of course, much more experimentation is necessary to really assess the practical benefits of the proposed technique and a lot more engineering is required to apply it to real programming languages. Extensions for handling complex features such as pointers, arrays and procedures are tedious but conceptually not very hard.

We also note that in some cases (e.g. ticket2, ticket3 and RAX) the number of ex- 
plored concrete and abstract states stays the same after the first iteration; however our 
algorithm needs more than two iterations to discover all the necessary abstraction predi- 
cates, according to the exactness criteria that we defined. The results suggest that it is 
possible to relax these criteria and still provide a guarantee that the relevant state space of 
the analyzed program has been explored. We leave this topic for future work. 

8.7. Comparison and Combination with Over-approximation Based Approaches. 

We should mention that the application of over-approximation based predicate abstraction to a Java version of RAX is described in detail in [33]. In that work, four different predicates were used to produce an abstract model that is bisimilar to the original program. In contrast, the work presented here allowed more aggressive abstraction to recover feasible counter-examples. Our technique explores transitions that are guaranteed to be feasible. 
In contrast, the over-approximation based techniques such as the ones from [H [TJ [22] may 
also explore transitions that are spurious and therefore could require additional refinement 
before reporting a real counter-example. 

As mentioned, over-approximation based abstraction techniques involve exponentially many theorem prover queries (in the number of predicates), at each iteration. This computation is performed regardless of the size of (the reachable portion of) the analyzed system. In our case, theorem prover queries are only performed during refinement and they involve only the reachable state space of the system under analysis. On the other hand, over-approximation based techniques are good at proving properties (as they compute abstractions that are coarser than the bisimulation quotient but sufficient to prove safety properties). We believe however that the technique presented here is complementary to over-approximation abstractions and it should be combined (rather than compared) with such techniques. Our technique could be used for efficiently discovering feasible counter-examples in the space bounded by the abstraction predicates (that are used in the over-approximation analysis). In the future, we plan to study further the strengths and weaknesses of each approach and to investigate their integration.

9. Related Work 

Throughout the paper, we have already discussed the relationship between our work and predicate abstraction (see the previous section and also Section 6 where we compared our work with over-approximation approaches, in particular the work of Namjoshi and Kurshan [26], and with under-approximation approaches using must transitions [3, 30, 31]). We discuss here other approaches that are closely related to ours.

The work of Grumberg et al. [20] uses a refinement of an under-approximation to 
improve analysis of multi-process systems. The procedure in [20] checks models with an 
increasing set of allowed interleavings of the given processes, starting from a single inter- 
leaving. It uses SAT-based bounded model checking for analysis and refinement, whereas 
here we focus on explicit model checking and predicate abstraction, and we use weakest 
precondition calculations for abstraction refinement. 
Another closely related work is that of Lee and Yannakakis [24], which proposes an on-the-fly algorithm for computing the bisimulation quotient of an (infinite state) transition system. Similar to our approach, the algorithm from [23] traverses concrete transitions while computing blocks of equivalent states; if some transition is found to be unstable the block is split into sub-blocks. Note however that unlike [24] our algorithm is geared towards error detection and it is formulated in terms of predicate abstraction with a clear separation between state exploration and refinement. There are other important differences between our approach and the work presented in [23]. We use refinement globally while the block splitting in [23] is local. This makes the approach in [23] more efficient in the number of visited states. On the other hand, the global refinement has the advantage of faster propagating the new predicates across the system but it may lead to unnecessary refinement. As a consequence of this global refinement, our algorithm may not compute the bisimulation quotient (as in [23]) but rather just a bisimilar structure (due to extra refinement). We view the experimental comparison of the two approaches as an interesting topic for future work.

In previous work [28], we developed a technique for finding feasible counter-examples in abstracted programs. The technique essentially explores an under-approximation defined by the must abstract transitions (although the presentation is not formalized in these terms). The work presented here explores an under-approximation which is more precise than the abstract system defined by the must transitions. Hence it has a better chance of finding bugs while enabling more aggressive abstraction and therefore more state space reduction.

Model-driven software verification [23] advocates the use of abstraction mappings during concrete model checking in a way similar to what we present here. In their approach, the abstraction function needs to be provided by the user. The CMC model checking tool [25] also attempts to store state information in memory using aggressive compression techniques (which can be seen as a form of abstraction), while the detailed state information is kept on the stack. These techniques allow the detection of subtle bugs which cannot be discovered by classical model checking, using e.g. breadth first search, or by state-less model checking [15]. While these techniques use abstractions in an ad-hoc manner, our work contributes the automated generation and refinement of abstractions.

Directed automated random testing (DART) [17] performs a concrete execution on random inputs and it collects the path constraints along the executed paths. These path constraints are then used to compute new inputs that drive the program along alternative paths. The approach in [17] is similar to ours as it combines concrete program execution with a symbolic analysis. However, DART applies only to sequential programs, not to concurrent programs as we do here. Moreover, DART attempts to cover all the feasible paths through the program, not the reachable (abstract) states as we do in our approach. DART does not perform any state matching, and therefore it cannot detect if an (abstract) state has been visited before. As a result, DART can potentially explore redundant states, e.g. for looping, reactive programs. Another (methodological) difference is that DART uses symbolic evaluation while our method uses predicate abstraction with refinement.

Dataflow and type-based analyses have been used to check safety properties of software (e.g. [32]). Unlike our work, these techniques analyze over-approximations of system behavior and may generate false reports due to infeasible paths.
10. Conclusions and Future Work

We presented a model checking algorithm based on refinement of under-approximations, which effectively preserves the defect detection ability of model checking in the presence of powerful abstractions. The under-approximation is obtained by traversing the concrete transition system and performing the state matching on abstract states computed by predicate abstraction. The refinement is done by checking exactness of abstractions with the use of a theorem prover. We illustrated the application of the algorithm for checking safety properties of concurrent programs. In the future, we plan to investigate whether we can extend the algorithm with property driven refinement and with checking liveness properties. We also plan to investigate the integration of our approach with over-approximation based abstraction refinement and to do an extensive evaluation on large systems.